A NIS2 readiness checklist for Dutch municipalities
John Doe · 14 April 2026 · 6 min read
NIS2 turns security expectations that used to be best practice into obligations. For Dutch municipalities and other public bodies, the hard part is rarely understanding the law — it is producing evidence that your technical measures actually work. This checklist is organised around that gap.
1. Know your attack surface — continuously
You cannot protect what you cannot see. Start with an authoritative, continuously updated inventory of internet-facing assets: domains, subdomains, exposed services, and the cloud accounts behind them. A one-off spreadsheet ages badly; aim for a live picture.
2. Test the measures, don't just document them
A policy that says “we patch within 30 days” is not evidence. A penetration test that confirms the patch closed the issue is. NIS2 supervisors increasingly expect demonstrated effectiveness, not described intent.
- Annual penetration test of internet-facing systems, with a re-test of fixed findings.
- Evidence mapped to the relevant NIS2 technical measures, not just an internal ticket number.
- An attack-path narrative — how individual findings could chain into real impact.
3. Have an incident lane that actually answers
NIS2 introduces tight incident-reporting timelines. Rehearse the first hour: who picks up the phone, who decides, and how you reach external help. If your incident contact is a shared inbox no one watches at 23:00, fix that before anything else.
4. Keep the evidence procurement-ready
Auditors, supervisors, and your own council will ask for proof on short notice. Keep reports, re-test confirmations, and a register of measures in one place, dated and attributable. The goal is that producing evidence is a five-minute task, not a five-day fire drill.
If you want a second pair of eyes on where you stand, our NIS2 readiness assessment maps your technical measures to the obligations and gives you a prioritised, evidence-backed roadmap.